SECCON Online CTF 2015 - Reverse-Engineering Android APK 2

The key is stored in the application, but you will need to hack the server.( *Do not use your real email address.)http://scontents.quals.seccon.jp/files/app-release-apk.pwn.seccon.jp-v1.3.apk

Lets extract the classes.dex file from the archive and use dex2jar [1] to convert the Dalvik code to a jar file containing Java Bytecode, so we can decompile it with jd [2].

Browsing through the Application we can see 4 packages, a.a.a, android.support, b.a.a.a, and kr.repo.h2spice.yekehtmai. The app is obfuscated using simple name mangling, no big deal. The first package is really the Volley framework [3], which means we do not have to analyse it any further. The support library and the third package are boring as well, which leaves us with kr.repo.h2spice.yekehtmai containing the actual application core.

The app contains 3 activities: MainActivity, RegisterActivity, and WelcomeActivity. Lets start by analysing the entry-point activity MainActivity. After creating a layout containing two buttons, two text-views and a couple of other widgets, onCreate calls into this.g.a():

So the application checks whether we are already logged in, and if so continues on to the WelcomeActivity. Otherwise, this MainActivity with the two text-boxes is used as a login screen. Additionally, it has a further button which leads to the registration activity.

It sends an HTTP POST request to http://apk.pwn.seccon.jp/login.php, which on success will return back the username and a user id in the uid parameter. The first 16 bytes of this user id are then used together with a base64-encoded string in method c.a, which performs this:

So this string fuO/gyps1L1JZwet4jYaU0hNvIxa/ncffqy+3fEHIn4= is probably the encrypted flag (recall the problem description claiming that the flag is within the application). The decryption key is the user id from one specific user - but which one?

Lets see how the registration and login process works. Analysing the registration activity, we can see that the HTTP POST request parameters are encrypted using the same scheme as illustrated above, however with different keys. Instead of reversing the key derivation procedure, I quickly disassembled the app into smali code using apktool [4] and modified the encryption method in /smali/kr/repo/h2spice/yekehtmai/c.smali, adding Log.d calls to dump the encryption keys:

Installing the modified app on an emulator, running it and creating an account / logging in reveals the following keys from adb logcat -s "BOOP":

D/BOOP ( 1705): foo_usernameD/BOOP ( 1705): 9845674983296465

The key for registration encryption is 9845674983296465, and for login it is 3246847986364861. At this point, we are done analysing the application. Time to hack their server.

Using a couple of sample usernames, emails, and passwords to register new accounts, it becomes evident that the email parameter is vulnerable to SQL injection, because the server suddenly reports back generic errors or does not answer at all. After some probing, the login SQL query seems to look like this: 'SELECT <some columns> FROM <some table> WHERE <column for email> = ' + user_controlled_email

A bit more blind trial and error tells us that the query selects 8 columns from the table users. With this query, we can leak the column name for the user id (z@z.z is a dummy email I used in a previous account registration):

z@z.z' AND 1 in (SELECT 1 FROM information_schema.columns WHERE table_name = 'users' AND column_name LIKE '%s%c%%') ; #

The %s is for the leaked name so far, and %c is for the current character guess. After a couple of requests, we find the user id column name to be unique_id.

Now we can leak some user ids (note that the table also contains an integer id field for the primary key) from users with low numeric ids:

z@z.z' AND 1 in (SELECT 1 FROM users WHERE id = %d AND unique_id LIKE '%s%c%%')

Using ids 1 and 2 yields nothing of interest, but the unique_id from id=3 successfully decrypts the flag! The unique_id is a159c1f7097ba804: